diff --git a/vendor.conf b/vendor.conf
index 2994f4dfd..e484f380c 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -1,6 +1,6 @@
 github.com/blang/semver v3.1.0
 github.com/boltdb/bolt v1.3.0-58-ge9cf4fa
-github.com/containerd/containerd 360e46ddda1733c8e237b8ce5a24470ffa08d306
+github.com/containerd/containerd cf09e32618398fc59fcb45bcfe9b4c0335972733
 github.com/containerd/continuity cf279e6ac893682272b4479d4c67fd3abf878b4e
 github.com/containerd/fifo fbfb6a11ec671efbe94ad1c12c2e98773f19e1e6
 github.com/containernetworking/cni v0.6.0
diff --git a/vendor/github.com/containerd/containerd/process.go b/vendor/github.com/containerd/containerd/process.go
index 6cea4c47a..536d8a85e 100644
--- a/vendor/github.com/containerd/containerd/process.go
+++ b/vendor/github.com/containerd/containerd/process.go
@@ -23,7 +23,7 @@ type Process interface {
 	// Delete removes the process and any resources allocated returning the exit status
 	Delete(context.Context, ...ProcessDeleteOpts) (*ExitStatus, error)
 	// Kill sends the provided signal to the process
-	Kill(context.Context, syscall.Signal) error
+	Kill(context.Context, syscall.Signal, ...KillOpts) error
 	// Wait asynchronously waits for the process to exit, and sends the exit code to the returned channel
 	Wait(context.Context) (<-chan ExitStatus, error)
 	// CloseIO allows various pipes to be closed on the process
@@ -104,11 +104,18 @@ func (p *process) Start(ctx context.Context) error {
 	return nil
 }
 
-func (p *process) Kill(ctx context.Context, s syscall.Signal) error {
+func (p *process) Kill(ctx context.Context, s syscall.Signal, opts ...KillOpts) error {
+	var i KillInfo
+	for _, o := range opts {
+		if err := o(ctx, p, &i); err != nil {
+			return err
+		}
+	}
 	_, err := p.task.client.TaskService().Kill(ctx, &tasks.KillRequest{
 		Signal:      uint32(s),
 		ContainerID: p.task.id,
 		ExecID:      p.id,
+		All:         i.All,
 	})
 	return errdefs.FromGRPC(err)
 }
diff --git a/vendor/github.com/containerd/containerd/spec_opts_unix.go b/vendor/github.com/containerd/containerd/spec_opts_unix.go
index 42a312fe5..db9735593 100644
--- a/vendor/github.com/containerd/containerd/spec_opts_unix.go
+++ b/vendor/github.com/containerd/containerd/spec_opts_unix.go
@@ -297,8 +297,9 @@ func WithUidGid(uid, gid uint32) SpecOpts {
 }
 
 // WithUserID sets the correct UID and GID for the container based
-// on the image's /etc/passwd contents. If uid is not found in
-// /etc/passwd, it sets uid but leaves gid 0, and not returns error.
+// on the image's /etc/passwd contents. If /etc/passwd does not exist,
+// or uid is not found in /etc/passwd, it sets gid to be the same with
+// uid, and not returns error.
 func WithUserID(uid uint32) SpecOpts {
 	return func(ctx context.Context, client *Client, c *containers.Container, s *specs.Spec) error {
 		if c.Snapshotter == "" {
@@ -329,6 +330,10 @@ func WithUserID(uid uint32) SpecOpts {
 		}
 		f, err := os.Open(ppath)
 		if err != nil {
+			if os.IsNotExist(err) {
+				s.Process.User.UID, s.Process.User.GID = uid, uid
+				return nil
+			}
 			return err
 		}
 		defer f.Close()
@@ -339,7 +344,7 @@ func WithUserID(uid uint32) SpecOpts {
 			return err
 		}
 		if len(users) == 0 {
-			s.Process.User.UID = uid
+			s.Process.User.UID, s.Process.User.GID = uid, uid
 			return nil
 		}
 		u := users[0]
@@ -349,8 +354,9 @@ func WithUserID(uid uint32) SpecOpts {
 }
 
 // WithUsername sets the correct UID and GID for the container
-// based on the the image's /etc/passwd contents. If the username
-// is not found in /etc/passwd, it returns error.
+// based on the the image's /etc/passwd contents. If /etc/passwd
+// does not exist, or the username is not found in /etc/passwd,
+// it returns error.
 func WithUsername(username string) SpecOpts {
 	return func(ctx context.Context, client *Client, c *containers.Container, s *specs.Spec) error {
 		if c.Snapshotter == "" {
diff --git a/vendor/github.com/containerd/containerd/task.go b/vendor/github.com/containerd/containerd/task.go
index 787db09fc..93a57e545 100644
--- a/vendor/github.com/containerd/containerd/task.go
+++ b/vendor/github.com/containerd/containerd/task.go
@@ -163,10 +163,17 @@ func (t *task) Start(ctx context.Context) error {
 	return errdefs.FromGRPC(err)
 }
 
-func (t *task) Kill(ctx context.Context, s syscall.Signal) error {
+func (t *task) Kill(ctx context.Context, s syscall.Signal, opts ...KillOpts) error {
+	var i KillInfo
+	for _, o := range opts {
+		if err := o(ctx, t, &i); err != nil {
+			return err
+		}
+	}
 	_, err := t.client.TaskService().Kill(ctx, &tasks.KillRequest{
 		Signal:      uint32(s),
 		ContainerID: t.id,
+		All:         i.All,
 	})
 	if err != nil {
 		return errdefs.FromGRPC(err)
diff --git a/vendor/github.com/containerd/containerd/task_opts.go b/vendor/github.com/containerd/containerd/task_opts.go
index 3dcab170f..36bbfab94 100644
--- a/vendor/github.com/containerd/containerd/task_opts.go
+++ b/vendor/github.com/containerd/containerd/task_opts.go
@@ -41,7 +41,7 @@ func WithProcessKill(ctx context.Context, p Process) error {
 	if err != nil {
 		return err
 	}
-	if err := p.Kill(ctx, syscall.SIGKILL); err != nil {
+	if err := p.Kill(ctx, syscall.SIGKILL, WithKillAll); err != nil {
 		if errdefs.IsFailedPrecondition(err) || errdefs.IsNotFound(err) {
 			return nil
 		}
@@ -51,3 +51,17 @@ func WithProcessKill(ctx context.Context, p Process) error {
 	<-s
 	return nil
 }
+
+type KillInfo struct {
+	// All kills all processes inside the task
+	// only valid on tasks, ignored on processes
+	All bool
+}
+
+type KillOpts func(context.Context, Process, *KillInfo) error
+
+// WithKillAll kills all processes for a task
+func WithKillAll(ctx context.Context, p Process, i *KillInfo) error {
+	i.All = true
+	return nil
+}